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We prove the security of a quantum key distribution 
scheme based on transmission of squeezed quantum states 
of a harmonic oscillator. Our proof employs quantum error- 
correcting codes that encode a finite-dimensional quantum 
system in the infinite-dimensional Hilbert space of an oscilla- 
tor, and protect against errors that shift the canonical vari- 
ables p and q. If the noise in the quantum channel is weak, 
squeezing signal states by 2.5f dB (a squeeze factor = 1.34) 
is sufficient in principle to ensure the security of a protocol 
that is suitably enhanced by classical error correction and pri- 
vacy amplification. Secure key distribution can be achieved 
over distances comparable to the attenuation length of the 
quantum channel. 

I. INTRODUCTION 

Two of the most important ideas to emerge from re- 
cent studies of quantum information are the concepts of 
quantum error correction and quantum key distribution. 
Quantum error correction allows us to protect unknown 
quantum states from the ravages of the environment. 
Quantum key distribution allows us to conceal our pri- 
vate discourse from potential eavesdroppers. 

In fact these two concepts are more closely related than 
is commonly appreciated. A quantum error correction 
protocol must be able to reverse the effects of both bit 
flip errors, which reflect the polarization state of a qubit 
about the x-axis, and phase errors, which reflect the po- 
larization about the z-axis. By reversing both types of 
errors, the protocol removes any entanglement between 
the protected state and the environment, thus restoring 
the purity of the state. 

In a quantum key distribution protocol, two commu- 
nicating parties verify that qubits polarized along both 
the z-axis and the z-axis can be transmitted with an ac- 
ceptably small probability of error. An eavesdropper who 
monitors the x-polarized qubits would necessarily disturb 
the z-polarized qubits, while an eavesdropper who moni- 
tors the z-polarized qubits would necessarily disturb the 
x-polarized qubits. Therefore, a successful veriflcation 
test can show that the communication is reasonably pri- 
vate, and the privacy can then be amplified via classical 
protocols. 
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In quantum key distribution, the eavesdropper collects 
information by entangling her probe with the transmit- 
ted qubits. Thus both error correction and key distribu- 
tion share the goal of protecting quantum states against 
entanglement with the outside world. 

Recently, this analogy between quantum error correc- 
tion and quantum key distribution has been sharpened 
into a precise connection, and used as the basis of a 
new proof of security against all possible eavesdropping 
strategies . Earlier proofs of security (first by Mayers 
and later by Biham et al. made no explicit refer- 
ence to quantum error correction; nevertheless, the con- 
nection between quantum error correction and quantum 
key distribution is a powerful tool, enabling us to invoke 
the sophisticated formalism of quantum error-correcting 
codes in an analysis of the security of quantum key dis- 
tribution protocols. 

Also recently, new quantum error-correcting codes 
have been proposed that encode a finite-dimensional 
quantum system in the infinite-dimensional Hilbert space 
of a quantum system described by continuous variables 
[Q. In this paper, we will apply these new codes to the 
analysis of the security of quantum key distribution pro- 
tocols. By this method, we prove the security of a proto- 
col that is based on the transmission of squeezed quan- 
tum states of an oscillator. The protocol is secure against 
all eavesdropping strategies allowed by the principles of 
quantum mechanics. 

In our protocol, the sending party, Alice, chooses at 
random to send either a state with a well defined posi- 
tion q or momentum p. Then Alice chooses a value of 
q or p by sampling a probability distribution, prepares 
a narrow wave packet centered at that value, and sends 
the wave packet to the receiving party. Bob. Bob decides 
at random to measure either q or p. Through public dis- 
cussion, Alice and Bob discard their data for the cases 
in which Bob measured in a different basis than Alice 
used for her preparation, and retain the rest. To correct 
for possible errors, which could be due to eavesdropping, 
to noise in the channel, or to intrinsic imperfections in 
Alice's preparation and Bob's measurement, Alice and 
Bob apply a classical error correction and privacy am- 
plification scheme, extracting from the raw data for ii 
oscillators a number k < n of key bits. 

Alice and Bob also sacrifice some of their data to per- 
form a verification test to detect potential eavesdroppers. 
When verification succeeds, the probability is exponen- 
tially small in n that any eavesdropper has more than an 
exponentially small amount of information about the key. 
Intuitively, this protocol is secure because an eavesdrop- 



1 



per who monitors the observable q necessarily causes a 
detectable disturbance of the complementary observable 
p (and vice versa). 

Since preparing squeezed states is technically chal- 
lenging, it is important to know how much squeezing is 
needed to ensure the security of the protocol. The answer 
depends on how heavily the wave packets are damaged 
during transmission. When the noise in the channel is 
weak, we show that it suffices in principle for the squeezed 
state to have a width smaller by the factor e~'^ = .749 
than the natural width of a coherent state (correspond- 
ing to an improvement by 2.51 dB in the noise power for 
the squeezed observable, relative to vacuum noise). It is 
also important to know that security can be maintained 
under realistic assumptions about the noise and loss in 
the channel. Our proof of security applies if the proto- 
col is imperfectly implemented, and shows that secure 
key distribution can be achieved over distances compara- 
ble to the attenuation length of the channel. Squeezed- 
state key distribution protocols may have some practical 
advantages over single-qubit protocols, in that neither 
single-photon sources nor very efficient photodetectors 
are needed. 

Key distribution protocols using continuous variable 
quantum systems have been described previously by oth- 
ers , but ours is the first complete discussion of error 
correction and privacy amplification, and the first proof 
of security against arbitrary attacks. 

In §11 we review continuous variable quantum error- 
correcting codes [Q and in §[II we review the argument 
[01 exploiting quantum error-correcting codes to demon- 
strate the security of the BB84 quantum key distribution 
scheme This argument is extended to apply to con- 
tinuous variable key distribution schemes in §IV and §0. 
Estimates of how much squeezing is required to ensure 
security of the protocol are presented in §VI, The ef- 



fects on secu rity of los ses du e to photon absorption are 
analyzed in ^Il| , and § VIII contains conclusions. 



II. CODES FOR CONTINUOUS QUANTUM 
VARIABLES 

We begin by describing codes for continuous quantum 
variables Q . The two-dimensional Hilbert space of an en- 
coded qubit embedded in the infinite-dimensional Hilbert 
space of a system described by canonical variables q and 
p can be characterized as the simultaneous eigenspace of 
the two commuting operators 



Sq — e^*'^^-'* 



Sp = e"*^^^-*^ 



(1) 



the code's "stabilizer generators." If the eigenvalues are 



So 



1, then the allowed values of q and p in the 



code space are integer multiples of y/w, and the code- 
words are invariant under shifts in g or p by integer mul- 
tiples of 2^/^^. Thus an orthogonal basis for the encoded 
qubit can be chosen as 
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The operators 
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commute with the stabilizer generators and so preserve 
the code subspace; they act on the basis eq. @j according 
to 



Z:\-0) 
X:\-0) 
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This code is designed to protect against errors that 
induce shifts in the values of q and p. To correct such 
errors, we measure the values of the stabilizer generators 
to determine the values of q and p modulo y/n, and then 
apply a shift transformation to adjust q and p to the 
nearest integer multiples of -^/tt. If the errors induce shifts 
Aq, Ap that satisfy 



\Aq\ < , \Ap\ < 



(5) 



then the encoded state can be perfectly restored. 

A code that protects against shifts is obtained for any 
choice of the eigenvalues of the stabilizer generators. The 
code with 



-27Tid 



(6) 



can be obtained from the 4>q = (j)p — code by applying 
the phase space translation operator 



(7) 



the angular variables (j>q and 4>p G (—1/2, 1/2] denote the 
allowed values of q/ y/n and p/^/tt modulo an integer. In 
this code space, the encoded operations Z and X (which 
square to the identity) can be chosen to be 



X( 



(8) 



The code with stabilizer eq. (|l|) can be generalized in 
a variety of ways For example, we can increase the 
dimension of the protected code space, and we can modify 
the code to protect against shifts that are asymmetric in 
q and in p. If we choose the stabilizer to be 



Sq{n,a) = exp ^(vzTrd) • (q/a) 
Sp{n,a) = exp —i{y/2Trd) ■ (pa) , 



(9) 
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where d is a positive integer and a is a positive real num- 
ber, then the code has dimension d and protects against 
shifts that satisfy 

... a / 27r , . , 1 / 27r , . 

|A,|<-.^^, |AP|<2^7^. (10) 

The codewords eq. (||) are nonnormalizable states, in- 
finitely "squeezed" in q and p. In practice, we must 
always work with normalizable finitely squeezed states. 
For example, a Gaussian approximation |0) to the ideal 
codeword |0) of the d = 2, a = 1 code, characterized by 
squeezing parameters A^, Ap << 1, is 
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the approximate codeword |0) can be obtained by sub- 
jecting |0) to shifts in q and p governed by Gaussian 
distributions with widths A^ and Ap respectively. If Aq 
and Ap are small, then in principle these shifts can be 
corrected with high probability: e.g, for A^ = Ap = A, 
the probability that a shift in g or p causes an uncor- 
rectable error is no worse than the probability that the 
size of the shift exceeds Vtt/^, or 

2 2 2 

Error Prob < / dq e"«'/^' 

9 A 

< exp(-7r/4A2) . (12) 

TT 

For the d — 2 code with a ^ 1, this same estimate of the 
error probability applies if we rescale the widths appro- 
priately, 

A, A • a , Ap = A/a . (13) 

We can concatenate a shift-resistant code with an 
[[n. A;, d]] stabilizer quantum code. That is, first we en- 
code (say) a qubit in each of n oscillators; then k better 
protected qubits are embedded in the block of n. If the 
typical shifts are small, then the qubit error rate will be 
small in each of the n oscillators, and the error rate in the 
k protected qubits will be much smaller. The quantum 
key distribution protocols that we propose are based on 
such concatenated codes. 

We note quantum codes for continuous quantum vari- 
ables with an infinite- dimensional code space were de- 
scribed earlier by Braunstein and by Lloyd and Slo- 
tine . Entanglement distillation protocols for contin- 
uous variable systems have also been proposed | [Tl] , p^ 



III. QUANTUM KEY DISTRIBUTION AND 
QUANTUM ERROR-CORRECTING CODES 

Now let's recall the connection between stabilizer 
quantum codes and quantum key distribution schemes 

We say that a protocol for quantum key distribution is 
secure if (1) the eavesdropper Eve is unable to collect a 
significant amount of information about the key without 
being detected, (2) the communicating parties Alice and 
Bob receive the same key bits with high probability, and 
(3) the key generated is essentially random. Then if the 
key is intercepted, Alice and Bob will know it is unsafe to 
use the key and can make further attempts to establish 
a secure key. If eavesdropping is not detected, the key 
can be safely used as a one-time pad for encoding and 
decoding.]^ 

Establishing that a protocol is secure is tricky, because 
there inevitably will be some noise in the quantum chan- 
nel used to distribute the key, and the effects of eaves- 
dropping could be confused with the effects of the noise. 
Hence the protocol must incorporate error correction to 
establish a shared key despite the noise, and privacy am- 
plification to control the amount of information about 
the key that can be collected by the eavesdropper. 

In the case of the BB84 key distribution invented by 
Bennett and Brassard |^ , the necessary error correction 
and privacy amplification are entirely classical. Never- 
theless, the formalism of quantum error correction can 
be usefully invoked to show that the error correction and 
privacy amplification work effectively [Q . The key point 
is that if Alice and Bob carry out the BB84 protocol, we 
can show that the eavesdropper is no better off than if 
they had executed a protocol that applies quantum error 
correction to the transmitted quantum states. Appealing 
to the observation that Alice and Bob could have applied 
quantum error correction (even though they didn't really 
apply it), we place limits on what Eve can know about 
the key. 

A. Entanglement distillation 

First we will describe a key distribution protocol that 
uses a quantum error-correcting code to purify entan- 
glement, and will explain why the protocol is secure. 



^We implicitly assume that Eve uses a strategy that passes 
the verification test with nonnegligible probability, so that 
the rate of key generation is not exponentially small. If, for 
example. Eve were to intercept all qubits sent by Alice and 
resend them to Bob, then she would almost certainly be de- 
tected, and key bits would not be likely to be generated. But 
in the rare event that she is not detected and some key bits 
are generated, Eve would know a lot about them. 



3 



The connection between quantum error correction and 
entanglement purification was first empliasized by Ben- 
nett et al. p^; our proof of security follows a proof by 
Lo and Chau ||14| for a similar key distribution protocol. 
Later, following 0|, we will see how the entanglement- 
purification protocol is related to the BB84 protocol. 

A stabilizer code can be used as the basis of an 
entanglement-purification protocol with one-way classi- 
cal communication [^Q. Two parties, both equipped 
with quantum computers, can use this protocol to ex- 
tract from their initial shared supply of noisy Bell pairs 
a smaller number of Bell pairs with very high fidelity. 
These purified Bell pairs can then be employed for EPR 
quantum key distribution. Because the distilled pairs are 
very nearly pure, the quantum state of the pairs has neg- 
ligible entanglement with the quantum state of the probe 
of any potential eavesdropper; therefore no measurement 
of the probe can reveal any useful information about the 
secret key. 

Let's examine the distillation protocol in greater detail. 
Suppose that Alice and Bob start out with n shared EPR 
pairs. Ideally, these pairs should be in the state 

!$(«)) ^ 10+)®" ^ (14) 

where is the Bell state (|00) + \11))/V^; however, 
the pairs are noisy, approximating | <!)(")) with imperfect 
fidelity. They wish to extract k < n pairs that are less 
noisy. 

For this purpose, they have agreed in advance to use 
a particular [[n, k, d]] stabilizer code. The code space 
can be characterized as a simultaneous eigenspace of a 
set of mutually commuting stabilizer generators {Mi, i = 
1,2, . . . ,n — k}. Each Mi is a "Pauli operator," a tensor 
product of n single-qubit operators where each single- 
qubit operator is one of {/, X, Y, Z} defined by 

The operations {Xa, Za, a = 1,2,..., A:} acting on the 
encoded qubits are Pauli operators that commute with 
ah of the M,. 

The Bell state is the simultaneous eigenstate with 
eigenvalue one of the two commuting operators Xa (8) Xb 
and Za®Zb (where subscripts A and B indicate whether 
the operator acts on Alice's or Bob's qubit). Thus the 
state !$(")) is the simultaneous eigenstate with eigen- 
value one of the commuting operators 

Mi^A®Mi^B , i = l,2,...,n-fc , 

^a,A®^a.B , a = 1, 2, . . . , /c , 

Za.A®Za.B. a^\,2,...,k. (16) 

Now suppose that Alice and Bob both measure the n — k 
commuting M^'s. If the state they measure is pre- 



cisely 1$*^"^), then Alice and Bob obtain identical mea- 
surement outcomes. Furthermore, since their measure- 
ments do not disturb the encoded operations Xa and 
Za, their measurement would prepare the encoded state 
l^^'^)) = |(^+)®'^, the encoded state with 

Xa^A ® Xa^B — ^a,A ® ^a,B — 1 , 

a = l,2,...,fc, (17) 

in the code subspace with the specified values of Mi = 
±1. 

However, since the initial pairs are noisy, Alice's and 
Bob's measurement of the M^'s need not match perfectly; 
they should apply error correction to improve the fidelity 
of their encoded pairs. Thus Alice broadcasts the values 
of the Mi.^'s that she obtained in her measurements. 
Comparing to his own measurements. Bob computes the 
relative syndrome Mi^A • Mi^B- From this relative syn- 
drome, he infers what recovery operation he should apply 
to his qubits to ensure that the M^^s's match the Mi^A^-, 
and he performs this operation. Now Alice and Bob are 
in possession of k encoded pairs with improved fidelity. 

These encoded pairs can be used for EPR key distri- 
bution. For each a = 1, 2, . . . , fc, Alice and Bob measure 
Za, obtaining outcomes that are essentially random and 
agree with high probability. These outcomes are their 
shared private key. 

B. Verification 

If the initial pairs are too noisy, either because of the 
intervention of an eavesdropper or for other reasons, then 
the purification protocol might not succeed. Alice and 
Bob need to sacrifice some of their EPR pairs to verify 
that purification is likely to work. If verification fails, 
they can abort the protocol. 

Under what conditions will purification succeed? If 
their pairs were perfect, each would be in the state 10^), 
the simultaneous eigenstate with eigenvalue one of the 
two commuting observables X^X and Z ® Z. Suppose 
for a moment, that each of the pairs is a simultaneous 
eigenstate of these observables (a Bell state), but not 
necessarily with the right eigenvalues: in fact no more 
than tx of the n pairs have X X = —1, and no more 
than tz oi the n pairs have Z ^ Z ^ —1. Then, if Alice 
and Bob use a stabilizer code that can correct up to tz 
bit flip errors and up to tx phase errors, the purification 
protocol will work perfectly — it will yield the encoded 
state ll-t*^)) = 10+)®'= with fidelity F = 1. 

Now, the initial n pairs might not all be in Bell states. 
But suppose that Alice and Bob were able to perform a 
Bell measurement on each pair, projecting it onto a si- 
multaneous eigenstate of X X and Z Z. Of course, 
since Alice and Bob are far apart from one another, they 
cannot really do this Bell measurement. But let's never- 
theless imagine that they first perform a Bell measure- 
ment on each pair, and then proceed with the purifica- 
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tion protocol. Purification works if the Bell measurement 
yields no more than tx pairs with X iSi X = —1 and no 
more than tz pairs with Z ^ Z — —1. Therefore, if the 
initial state of the n pairs has the property that Bell 
measurement applied to all the pairs will, with very high 
probability, produce pairs with no more than tz bit flip 
errors and no more than tx phase errors, then we are 
assured that Bell measurement followed by purification 
will produce a very high fidelity approximation to the 
encoded state | 

But what if Alice and Bob execute the purification 
protocol without first performing the Bell measurement? 
We know that the purification works perfectly applied to 
the space Tigood spanned by Bell pairs that differ from 
10+)®" by no more than tz bit flip errors and no more 
than tx phase errors. Let 11 denote the projection onto 
'^good • Then if the protocol is applied to an initial den- 
sity operator p of the n pairs, the final density operator 
p' approximates |i>(*^)) with fidelity 

Fee (l>W|p'l^"'-'> > tr(np) . (18) 

Therefore, the fidelity is at least as large as the probabil- 
ity that tz or fewer bit fiip errors and tx or fewer phase 
errors would have been found if Bell measurement had 
been performed on all n pairs. 

To derive the inequality eq. (|l^), we represent p as a 
pure state |^')se of the n pairs (the "system" S) and 
an ancilla (the "environment" E, which might be under 
Eve's control) . The recovery superoperator can be repre- 
sented as a unitary operator Usr that is applied to S and 
an auxiliary system (the "reservoir" R) that serves as a 
repository for the entropy drawn from the pairs by error 
correction. Denote the initial pure state of the reservoir 
by |0)i^. Then the state of system, environment, and 
reservoir to which the recovery operation is applied can 
be resolved into a "good" component 

|^'good)5£;i?^ = (Hs <E) Ieb) |^')sB ® \^)r , (19) 
and an orthogonal component 

|*bad)5£J? = {{Is - n^) ® Ier) |*)SE ® |0)fl . (20) 

Since the states |*good)s£;j?, and |^'bad)sBi?. are orthogo- 
nal, the unitary recovery operation Usr, ® Ie maps them 
to states |*good)sEi?^ and \'^'^^a)ser that are also orthog- 
onal to one another. Furthermore, since recovery works 
perfectly on the space Tigood, we have 

\%oo<i)sER - ® \iv.nk)ER , (21) 

where the state |junk) er of environment and reservoir 
has norm 

ER(^mik\]wk)ER = s£;fi(*goodl*good)s£;i?, 

= SEfi(*good|*good)si5ii = tr(np) . (22) 

Thus the fidelity of the recovered state can be ex- 
pressed as 



F = SER (*'| (|$«) s s SER 

= SER{%ood\ (|$('=^)S S($('^|) ®lER\%ood)sER 
+ 5£fl«adl (l*'''>5 s{^^'^\)®lER\Ke^)sER 

= tr(np) + (|.«|pLdl^^'^>>tr(np) , (23) 
where 

Pbad = trsi? (|*bad)sEfl SEfl(*badl) ; (24) 

eq. (|lqj t hen follows. The key point is that, because 
of eq. (^, and because |*good>ssfl and |^'bad)s£;i?^ are 
orthogonal, there is no "good-bad" cross term in eq. ([2^). 

Our arguments so far show that Alice and Bob can 
be assured that entanglement purification will work very 
well if they know that it is highly unlikely that more than 
tz bit flip errors or more than tx phase errors would 
have been found if they had projected their pairs onto 
the Bell basis. While they have no way of directly check- 
ing whether this condition is satisfied, they can conduct 
a test that, if successful, will provide them with high sta- 
tistical confidence. We must now suppose that Alice and 
Bob start out with more than n pairs; to be definite, 
suppose they have about 2n to start, and that they are 
willing to sacrifice about half of them to conduct their 
verification test. Alice randomly decides which pairs are 
for verification (the "check pairs" ) and which are for key 
distribution (the "key pairs" ) , and for each of her check 
qubits, she randomly decides to measure either X or Z. 
Then Alice publicly announces which are the check pairs, 
whether she measured X or Z on her half of each check 
pair, and the results of those measurements (in addition 
to the results of her measurements of the stabilizer gen- 
erators). 

Upon hearing of Alice's choices. Bob measures X or Z 
on his half of each of the check pairs; thus Alice and Bob 
are able to measure X ig) X on about half of their check 
pairs, and they measure Z (g) Z on the remaining check 
pairs. Now since the check pairs were randomly chosen, 
the eavesdropper Eve has no way of knowing which are 
the check pairs, and she can't treat them any differently 
than the key pairs; hence the measured error rate found 
for the check pairs will be representative of the error rate 
that would have been found on the key pairs if Alice 
and Bob had projected the key pairs onto the Bell basis. 
Therefore, Alice and Bob can use their check data and 
classical sampling theory to estimate how many bit fiip 
and phase errors would have been expected if they had 
measured the key pairs. 

For example, in a sample of A'^ pairs, suppose that if 
Alice and Bob both measured Z for all the pairs, a frac- 
tion p of their measurements would disagree, indicating 
bit ffip errors. Then if they randomly sample M < N 
of the pairs, the probability distribution for the number 



5 



M{p — e) of errors found would be^ 

P(e) < cxp(-MeV2p(l - p)) 



(25) 



If Alice and Bob have no a priori knowledge of the value 
of p, then by Bayes' theorem, the conditional probability 
that the total number of errors in the population is pN , 
given that there are pzM errors in the sample, is the 
same as the probability that there are pzM errors in 
the sample given that there are pN errors in the total 
population. Writing p ~ pz + s, the number of errors on 
the - M untested pairs is Np - Mpz = (iV - M)pz + 
Ne = {N - M) ■ {pz + e'), where e' = Ne/iN - M). 
Expressing P{e) in terms of e' we find 



P(.')<exp(- "'f-^^' 

V 2N^pz(l~pz 



(26) 



a bound on the probability that the fraction of the 
untested pairs with errors is larger than pz+e'. In partic- 
ular, if they test about M — n/2 pairs for bit flip errors 
out of a total of about N = n + n/2 pairs, the probability 
that a fraction pz + s' of the remaining N — M = n pairs 
have bit flip errors is 



P{e') < exp {-ne'y9pz{l - Pz)) 



(27) 



A similar argument applies to the probability of phase 
errors. We conclude that by conducting the verification 
test, Alice and Bob can be very confident that, if they had 
measured Z (g) Z (or X (g) X) on the n key pairs, no more 
than {pz + e')n (or {px -f e')n) errors would have been 
found. By choosing a quantum error-correcting code that 
can correct this many errors with high probability, they 
can be confident that the encoded state they prepare ap- 
proximates I^C')) with fidelity exponentially close to one. 

It is important to emphasize that this argument re- 
quires no assumption about how the errors on different 
pairs may be correlated with one another. Rather the 
argument is applied to a hypothetical situation in which 
the value of Z ® Z (or X ® X) already has been mea- 
sured and recorded for all of the check pairs and all of the 
key pairs. Sampling theory is then used to address the 
question: how reliably does a "poll" of M bits randomly 
chosen from among TV allow us to predict the behavior 
of the rest of the population. Classical sampling theory 
can be applied to the values of both Z ® Z and X ® X 
for the key pairs, because the operators commute and so 
are simultaneously measurable in principle Jl4| . 

Furthermore, if the state of the encoded pairs that Al- 
ice and Bob use for key distribution is exponentially close 
to being a pure state, it follows from Holevo's theorem 



■^This bound is not tight. It applies if the sample of M pairs 
is chosen from the population of with replacement. In fact 
the sample is chosen without replacement, which suppresses 
the fluctuations. A better bound was quoted in M. 



that Eve's mutual information with the distributed key is 
exponentially small [p^Pj. In the worst case, the imper- 
fect fidelity of Alice's and Bob's pairs is entirely due to 
Eve's intervention; then the complete state consisting of 
the pairs and Eve's probe is pure, and the Von Neumann 
entropy S{pe) = — tr pE^ogPE of the state pE of the 
probe equals the entropy of the state pab of the pairs. 
By extracting a key from their pairs, Alice and Bob in 
effect prepare a state for Eve governed by an ensemble 
with density matrix pE- According to Holevo's theorem, 
the mutual information I{AB] E) of this state prepara- 
tion with any measurement that Eve can carry out on 
her probe satisfies 



IiAB;E) <SipE)^ S{pab) , 



(28) 



and since pab is very nearly pure, S{pab) and I{AB; E) 
are very close to zero. Specifically, if the fidelity of pab 
is F = 1 — (5, then the largest eigenvalue of pab is at least 
1 — (5. For a system with dimension D, the density matrix 
with largest eigenvalue 1 — 5 that has the maximal Von 
Neumann entropy is 



diag 1 — (5, 



D -I D -I- 



D- 1 



(29) 



for which 



^(Pmax) = -(1 - 5) log2(l - 5) - 5\og^{5 / [D ~ 1)) 

^ \og^{D-l)-\og^5]+0{5'') . (30) 



l0ge2 



Taking D — 2^^ (the total dimension of Alice's and Bob's 
code spaces), we conclude that 



S[p 



AB. 



<5 



1 



loge2 



+ 2k + \og^{l/5)]+0{5^) . (31) 



Finally, we have shown that if the verification test suc- 
ceeds, then with probability exponentially close to one 
(the probability that the error rate inferred from the 
check sample is not seriously misleading). Eve's mutual 
information with the key is exponentially small (because 
the state of the key bits approximates \^'^^^) with fidelity 
exponentially close to one). This proof of security ap- 
plies to any conceivable eavesdropping strategy adopted 
by Eve. 

The proof relies on the ability of quantum error- 
correcting codes to reverse the errors caused by inter- 
actions between the key pairs and Eve's probe. Hence 
it may seem odd that the proof works for arbitrary at- 
tacks by Eve, since quantum error correction works effec- 
tively only for a restricted class of error superoperators. 
Specifically, the error superoperator acting on a block of 
n qubits can be expanded in terms of a basis of "Pauli 
error operators," where in each term of the expansion bit 
flip errors and/or phase errors are inflicted on specifled 
qubits within the block. The encoded quantum informa- 
tion is well protected only if the error superoperator has 
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nearly all of its support on Pauli operators that can be 
corrected by the code, e.g.^ those with no more than tz 
bit flip errors and tx phase errors. 

If Eve's probe interacts collectively with many qubits, 
it may cause more bit flip or phase errors than the code 
can correct. But the crucial point is that, with high 
probability, an attack that causes many errors on the 
key bits will also cause many errors on the check bits, 
and Alice and Bob will detect Eve's presence. 

C. Reduction to the BB84 protocol 

Since the entanglement distillation protocol requires 
only one-way classical communication, this protocol is 
actually equivalent to one in which Alice, rather than 
preparing Bell pairs and sending half of each pair to 
Bob, instead prepares an encoded quantum state that 
she sends to Bob. Using a set of stabilizer generators 
on which she and Bob have agreed in advance, Alice 
chooses a random eigenvalue for each stabilizer generator 
Mi] then employing the corresponding [[n, fc, d]] quantum 
code, she prepares one of 2^ mutually orthogonal code- 
words. 

Alice also decides at random which of her qubits will 
be used for key distribution and which will be used for 
verification. For each of the check bits, she decides at 
random whether to send an X eigenstate (with random 
eigenvalue) or a Z eigenstate (with random eigenvalue). 

Bob receives the qubits sent by Alice, carefully deposits 
them in his quantum memory, and publicly announces 
that the qubits have been received. Alice then publicly 
reveals which qubits were used for the key, and which 
qubits are the check qubits. She announces the stabilizer 
eigenvalues that she chose to encode her state, and for 
each check qubit, she announces whether it was prepared 
as an X or Z eigenstate, and with what eigenvalue. 

Once Bob learns which qubits carry the encoded key in- 
formation, he measures the stabilizer operators and com- 
pares his results with Alice's to obtain a relative error 
syndrome. He then performs error recovery and mea- 
sures the encoded state to decipher the key. 

Bob also measures the check qubits and compares the 
outcomes to the values announced by Alice, to obtain 
an estimate of the error rate. If the error rate is low 
enough, error recovery applied to the encoded key bits 
will succeed with high probability, and Alice and Bob 
can be confident in the security of the key. If the error 
rate is too high. Bob informs Alice and they abort the 
protocol. 

As described so far, the protocol requires that Alice 
and Bob have quantum memories and quantum comput- 
ers that are used to store the qubits, measure stabilizer 
generators, and correct errors. But if they use a stabilizer 
code of the CSS (Calderbank-Shor-Steane) type |l|,|l6|, 
then the protocol can be simplified further. The crucial 
property of the CSS codes is that there is a clean separa- 



tion between the syndrome information needed to correct 
bit fiip errors and the syndrome information needed to 
correct phase errors. 

A CSS quantum stabilizer code is associated with a 
classical binary linear code Ci on n bits, and a subcode 
C2 C Ci. Let Hi denote the parity check matrix of Ci 
and H2 the generator matrix for the code C2 (and hence 
the parity check matrix of the dual code C^). The stabi- 
lizer generators of the code are of two types. Associated 
with the zth row of the matrix Hi is a "Z-generator," the 
tensor product of /'s and Z's 

Mz,^ = ®%l{Z,)^"'^'^ . (32) 

and associated with the ith row of H2 is an "X- 
generator," the tensor product of Ps and X's 

Mx,, = ®7=i(X,)(^^)- . (33) 

Since Hi has n — ki rows, where ki = dim(Ci), and H2 
has k2 rows, where k2 = dim(C2) there are all together 
n — ki + k2 stabilizer generators, and the dimension of 
the code space (the number of encoded qubits) is A; = 
ki — k2. From measurements of the Z generators, bit fiip 
errors can be diagnosed, and from measurement of the X 
generators, phase errors can be diagnosed. 

The elements of a basis for the code space with eigen- 
values of stabilizer generators 

Mz,^ = (-1)^' , Mx,^ = (-1)*' (34) 

are in one-to-one correspondence with the k cosets of C2 
in Ci; they can be chosen as 

= 777^ E + ^ + ; (35) 

' ^' weC2 

here w G Ci is a representative of a C2 coset, and x, z 
are 71-bit strings satisfying 

Hix = s , H2Z = t . (36) 

Thus, to distribute the key, Alice chooses x and z at ran- 
dom, encodes one of the \i{;{v))x,z^s, and sends the state 
to Bob. After Bob confirms receipt, Alice broadcasts the 
values of x and z. Bob compares Alice's values to his 
own measurements of the stabilizer generators to infer 
a relative syndrome, and he performs error correction. 
Then Bob measures Z of each of his n qubits, obtaining 
a bit string v + w + x. Finally, he subtracts x and applies 
H2 to compute H2V, from which he can infer the coset 
represented by v and hence the key. 

Now notice that Bob extracts the encoded key infor- 
mation by measuring Z of each of the qubits that Alice 
sends. Thus Bob can correctly decipher the key informa- 
tion by correcting any bit fiip errors that occur during 
transmission. Bob does not need to correct phase errors, 
and therefore he has no use for the phase syndrome in- 
formation; hence there is no need for Alice to send it. 
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Without in any way weakening the effectiveness of the 
protocol, Ahce can prepare the encoded state \tp{v))x,z, 
but discard her value of z, rather then transmitting it; 
thus we can consider the state sent by Alice to be av- 
eraged over the value of z. Averaging over the phase 
(— l)^''" destroys the coherence of the sum over w € C2 
in \ip{v))x.z] in effect, then, Alice is preparing n qubits as 
Z eigenstates, in the state \v + w + x), sending the state 
to Bob, and later broadcasting the value of x. We can 
just as well say that Alice sends a random string u, and 
later broadcasts the value oi u + v. Bob receives u + e 
(where e has support on the bits that flip due to errors) 
extracts v + e, corrects it to the nearest Ci codeword, 
and infers the key, the coset w + C2 . 

Alice and Bob can carry out this protocol even if Bob 
has no quantum memory. Alice decides at random to 
prepare her qubits as X or Z eigenstates, with random 
eigenvalues, and Bob decides at random to measure in 
the X OT Z basis. After public discussion, Alice and Bob 
discard the results in the cases where they used different 
bases and retain the results where they used the same 
basis. Thus the protocol we have described is just the 
BB84 protocol invented by Bennett and Brassard ac- 
companied by classical error correction (adjusting v -\- e 
to a Ci codeword) and privacy amplification (extracting 
the coset u -|- C2). 

What error rate is acceptable? In a random CSS code, 
about half of the n — k generators correct bit flips, and 
about half correct phase flips. Suppose that the verifica- 
tion test finds that bit fiip errors {Za ^ Zb = —1) occur 
with probabihty p2 and phase errors {Xa(^Xb = — 1) oc- 
cur with probability px- Classical coding theory shows 
that a random CSS code can correct the bit flips with 
high probability if the number of typical errors on n bits 
is much smaller than the number of possible bit flip error 
syndromes, which holds provided that 

\npzj 

where H2{x) — —x log2 x—{l — x) log2(l — x) is the binary 
entropy function. Similarly, the phase errors can be cor- 
rected with high probability provided the same relation 
holds with pz replaced hy px- Therefore, asymptotically 
as n ^ 00, secure key bits can be extracted from trans- 
mitted key bits at any rate R satisfying 

R=- <l-2H2{pz) , 
n 

R^- <l-2H2{px) ■ (38) 
n 

This upper bound on R crosses zero at pz (or px) = 
.1100. We conclude that secure key distribution is possi- 
ble if px,z < 11%- 

The random coding argument applies if the errors in 
the key qubits are randomly distributed. To assure that 
this is so, we can direct Alice to perform a random per- 
mutation of the qubits before sending them to Bob. After 



Bob confirms receipt, Alice can broadcast the permuta- 
tion she performed, and Bob can invert it. 

Again, the essence of this argument is that the amount 
of information that an eavesdropper could acquire is lim- 
ited by how successfully we could have carried out quan- 
tum error correction if we had chosen to - and that this 
relation holds irrespective of whether we really imple- 
mented the quantum error correction or not. 

Other proofs of the security of the BB84 protocol have 
been presented [|[|| , which don't make direct use of this 
connection with quantum error-correcting codes. How- 
ever, these proofs do use classical error correction and pri- 
vacy amplification, and they implicitly exploit the struc- 
ture of the CSS codes. 



D. Imperfect sources 

Our objective in this paper is to analyze the secu- 
rity of key distribution schemes that use systems de- 
scribed by continuous quantum variables. The analysis 
will follow the strategy we have just outlined, in which an 
entanglement-purification protocol is reduced to a pro- 
tocol that does not require the distribution of entangle- 
ment. But first we need to discuss a more general version 
of the argument. 

In the entanglement-purification protocol, whose re- 
duction to the BB84 protocol we have just described, 
there is an implicit limitation on the eavesdropper's ac- 
tivity. We have assumed that Alice prepares perfect en- 
tangled pairs in the state \(p^), and then sends half of 
each pair to Bob. Eve has been permitted to tamper with 
the qubits that are sent to Bob in any way she chooses, 
but she has not been allowed any contact with Alice's 
qubits. Therefore, if we imagine that Alice measures her 
qubits before sending to Bob, we obtain a BB84 proto- 
col in which Alice is equipped with a perfect source of 
polarized qubits. When she sends a Z eigenstate, the 
decision to emit a |0) or a |1) is perfectly random, and 
the state emerges from her source with perfect fidelity. 
Similarly, when she sends an X eigenstate, the decision 
to send |±) = (|0) ± |l))/-\/2 is perfectly random, and the 
state is prepared with perfect fidelity. Furthermore, Eve 
has no knowledge of what Alice's source does, other than 
what she is able to infer by probing the qubits as they 
travel to Bob. 

Security can be maintained in a more general scenario. 
In the entanglement-purification protocol, we can allow 
Eve access to Alice's qubits. As long as Eve has no way 
of knowing which pairs Alice and Bob will select for their 
verification test, and no way of knowing whether the 
check pairs will be measured in the Z or X basis, then 
the protocol still works: eavesdropping can be detected 
irrespective of whether Eve probes Alice's qubits, Bob's 
qubits, or both. 

Now if we imagine that Alice measures her qubits be- 
fore sending to Bob, we obtain a BB84-like protocol in 
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which Ahce's source is imperfect and/or Eve is able to 
collect some information about how Alice's source be- 
haves. Our proof that the BB84-like protocol is secure 
still works as before. However the proof applies only to a 
restricted type of source — it must be possible to simulate 
Alice's source exactly by measuring half of a two-qubit 
state. 

To be concrete, consider the following special case, 
which will suffice for our purposes: Alice has many iden- 
tical copies of the two-qubit state Pab- To prepare a 
"Z-state" she measures qubit A in the basis {|0)^, 
Thus she sends to Bob one of the two states 



Pi 



\pab\Q). 



tr U(0|pab|0)a) 
a{1\pab\^)a 



iY {a{1\pab\1) a) ' 
chosen with respective probabilities 



(39) 



Prob(O) 
Prob(l) 



tr U(0|pas|0)a) 
tr {a{1\pab\1)a) 



(40) 



Similarly, to prepare an X-state she measures in the basis 
{|+); sending one of 



P+ 
P- 



\Pab\ 



tr {a{+\pab\+)a) 
a{-\pab\-)a 



tr {a{-\pab\-)a) 
chosen with respective probabilities 



(41) 



Prob(- 
Prob(- 



tr {a{+\pab\ 
tr {a{-\pab\ 



-)a) 
-)a) 



(42) 



Unless the state pab is precisely the pure state Al- 
ice's source isn't doing exactly what it is supposed to do. 
Depending on how pab is chosen, the source might be 
biased; for example it might send po with higher proba- 
bility than pi . And the states po and pi need not be the 
perfectly prepared |0) and |1) that the protocol calls for. 

Now suppose that Alice's source always emits one of 
the states poj Pii P+j P-i a-nd that after the qubits emerge 
from the source. Eve is free to probe them any way she 
pleases. Even though Alice's source is flawed, Alice and 
Bob can perform verification, error correction, and pri- 
vacy amplification just as in the BB84 protocol. To ver- 
ify. Bob measures Z or X, as before; if he measures Z, 
say, they check to see whether Bob's outcome |0) or |1) 
agrees with whether Alice sent po or pi (even though the 
state that Alice sent may not have been a Z eigenstate). 
Thereby, Alice and Bob estimate error rates pz and px ■ 
If both error rates are below 11%, then the protocol is 
secure. 

We emphasize again that the security criterion 
Px,Pz < 11% applies not to all sources, but only to the 
restricted class of imperfect sources that can be simulated 



by measuring half of a (possible noisy) entangled state. 
To give an extreme example of a type of source to which 
the security proof does not apply, suppose that Alice al- 
ways sends the Z-state |0) or the X-state |-|-). Clearly 
the key distribution protocol will fail, even if Bob's bits 
always agree with Alice's! Indeed, a source with these 
properties cannot be obtained by measuring half of any 
two-qubit state pab- Rather, if the source is obtained by 
such a measurement, then a heavy bias when we send a 
Z-state would require that the error probability be large 
when we send an X-state. 



IV. DISTRIBUTING A KEY BIT WITH 
CONTINUOUS VARIABLES 

Now let's consider how the above ideas can be applied 
to continuous variable systems. We will first describe how 
in principle Alice and Bob can extract good encoded pairs 
of qubits from noisy EPR pairs. However, the distillation 
protocol requires them to make measurements that are 
difficult in practice. Then we will see how key distribu- 
tion that invokes (difficult) entanglement distillation can 
be reduced to key distribution based on (easier) prepa- 
ration, transmission, and detection of squeezed states. 

Suppose that Alice and Bob share pairs of oscillators. 
Ideally each pair has been prepared in an EPR state, a 
simultaneous eigenstate (let's say with eigenvalue 0) of 
<IA — q_B and pA + Pb- Now suppose that Alice mea- 
sures the two commuting stabilizer generators defined in 
eq. (0), obtaining the outcomes 



Sg^A = e^''"*'-'-^ 



Sp,A — 



or 



QA = <j>q,A ■ Vtt (mod \/tt) , 
PA = 4>p,A ■ Vtt (mod Vtt) . 



(43) 



(44) 



Now, the initial state was an eigenstate with eigenvalue 
one of the operators Sq^A ® and Sp,A (8) Sp,B- The 
observables measured by Alice commute with these, and 
so preserve their eigenvalues. Thus if the initial EPR 
state of the oscillators were perfect, Alice's measurement 
would also prepare for Bob a simultaneous eigenstate of 
the stabilizer generators with 



q,B 



p,B 



or 



qB = QA (mod ^/tt) , 
PB = -PA (mod 



(45) 



(46) 



Similarly, the initial state was an eigenstate with eigen- 
value one of the observables 



XAi4>p) XBi4>p) , ZA{4>q) 



(47) 
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which also commute with the stabihzer generators that 
AUce measured. Thus AUce's measurement has prepared 
an encoded Bell pair in the code space labeled by {(f)q, <pp), 
the state 

\^+)ab = ^mA\0)B + \1)a\1)b) . (48) 

Of course the initial EPR pair shared by Alice and Bob 
might be imperfect, and then the encoded state produced 
by Alice's measurement will also have errors. But if the 
EPR pair is not too noisy, they can correct the errors with 
high probability. Alice broadcasts her measured values of 
the stabilizer generators to Bob; Bob also measures the 
stabilizer generators and compares his values to those 
reported by Alice, obtaining a relative syndrome 

gi{4><l,A-<l>q,B) ^ g-i((t>p,A+<t>p,B) _ ^4g^ 

That is, the relative syndrome determines the value of 
lA — <1B (mod ^/t:), and Pa + Ps (mod ^/n). Using this 
information, Bob can shift his oscillator's q and p (by an 
amount between — \/7r/2 and \/7r/2) to adjust — qB 
(mod ^/tt), and pA + Pb (mod ^/tF) both to zero. The 
result is that Alice and Bob now share a bipartite state 
in the code subspace labeled by {(j)q, (f>p). 

If the initial noisy EPR state differs from the ideal EPR 
state only by relative shifts of Bob's oscillator relative to 
Alice's that satisfy lAg], |Ap| < then the shifts 

will be corrected perfectly. And if larger shifts are highly 
unlikely, then Alice and Bob will obtain a state that ap- 
proximates the desired encoded Bell pair with good 
fidelity. This procedure is a "distillation" protocol in that 
Alice and Bob start out with a noisy entangled state in 
a tensor product of infinite dimensional Hilbert spaces, 
and "distill" from it a far cleaner entangled state in a 
tensor product of two-dimensional subspaccs. 

Once Alice and Bob have distilled an encoded Bell pair, 
they can use it to generate a key bit, via the usual EPR 
key distribution protocol: Alice decides at random to 
measure either X or Z, and then publicly reveals what 
she chose to measure but not the measurement outcome. 
Bob then measures the same observable and obtains the 
same outcome - that outcome is the shared key bit. 

How do they measure X or Z7 If Alice (say) wishes to 
measure Z, she can measure q, and then subtract (j)q from 
the outcome. The value of Z is determined by whether 
the result is an even {Z = 1) or an odd {Z = —1) mul- 
tiple of ^/n. Similarly, if Alice wants to measure X, she 
measures p and subtracts cfip - The value of X is deter- 
mined by whether the result is an even {X = 1) or an 
odd {X = —1) multiple of 

Imperfections in the initial EPR pairs are inescapable 
not just because of experimental realities, but also be- 
cause the ideal EPR pairs are unphysical nonnormal- 
izable states. Likewise, the stabilizer operators cannot 
even in principle be measured with arbitrary precision 
(the result would be an infinite bit string), but only to 
some finite m-bit accuracy. Still, if the EPR pairs have 



reasonably good fidelity, and the measurements have rea- 
sonably good resolution, entanglement purification will 
be successful. 

To summarize, Alice and Bob can generate a shared bit 
by using the continuous variable code for entanglement 
purification, carrying out this protocol: 

Key distribution with entanglement purification 

1: Alice prepares (a good approximation to) an EPR 
state of two oscillators, a simultaneous cigenstate 
oi qA — qB = = Pa + Pb, and sends one of the 
oscillators to Bob. 

2: After Bob confirms receipt, Alice and Bob each 
measure (to m bits of accuracy) the two commut- 
ing stabilizer generators of the code, e*^^^^^ and 
g-!(2s/¥)p (Equivalently, they each measure the 
value of q and p modulo y/n.) Alice broadcasts her 
result to Bob, and Bob applies shifts in q and p to 
his oscillator, so that his values of q and p mod- 
ulo -/n now agree with Alice's (to m-bit accuracy). 
Thus, Alice and Bob have prepared (a very good 
approximation to) a Bell state \(f>'^) of two qubits 
encoded in one of the simultaneous eigenspaces of 
the two stabilizer operators. 

3: Alice decides at random to measure one of the en- 
coded operators X or Z; then she announces what 
she chose to measure, but not the outcome. Bob 
measures the same observable; the result is the 
shared bit that they have generated. 

Now notice that, except for Bob's confirmation that he 
received the states, this protocol requires only one-way 
classical communication from Alice to Bob. Alice does 
not need to receive any information from Bob before she 
measures her stabilizer operators or before she measures 
the encoded operation X or Z. Therefore, the protocol 
works just as well if Alice measures her oscillator before 
sending the other one to Bob. Equivalently, she prepares 
an encoded state, adopting randomly selected values of 
the stabilizer generators. She also decides at random 
whether the encoded state will be an X eigenstate or a 
Z eigenstate, and whether the eigenvalue will be -1-1 or 
-1. 

Again, since the codewords are unphysical nonnormal- 
izable states, Alice can't really prepare a perfectly en- 
coded state; she must settle for a "good enough" approx- 
imate codeword. 

In summary, we can replace the entanglement- 
purification protocol with this equivalent protocol: 

Key distribution with encoded qubits 

1: Alice chooses random values (to m bits of accuracy) 
for the stabilizer generators e**^^^^'' and e^^^^^'^P, 
chooses a random bit to decide whether to encode 
a Z eigenstate or an X eigenstate, and chooses an- 
other random bit to decide whether the eigenvalue 
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will be ±1. She then prepares (a good approxima- 
tion to) the encoded eigenstate of the chosen oper- 
ator with the chosen eigenvalue in the chosen code, 
and sends it to Bob. 
2: After Bob confirms receipt, Alice broadcasts the 
stabilizer eigenvalues and whether she encoded a Z 
or an X. 

3: Bob measures q or p. He subtracts from his out- 
come the value modulo ^fii determined by Alice's 
announced value of the stabilizer generator, and 
corrects the result to the nearest integer multiple 
of \pK. He extracts a bit determined by whether the 
multiple of ^Jt^ is even or odd; this is the shared bit 
that they have generated. 

To carry out this protocol, Alice requires sophisti- 
cated tools that enable her to prepare the approximate 
codewords, and Bob needs a quantum memory to store 
the state that he receives until he hears Alice's classical 
broadcast. However, we can reduce the protocol to one 
that is much less technically demanding. 

When Bob extracts the key bit by measuring (say) q, 
he needs Alice's value of q modulo -^Tr, but he does not 
need her value of the other stabilizer generator. There- 
fore, there is no need for Alice to send it; surely, the 
eavesdropper will be no better off if Alice sends less clas- 
sical information. If she doesn't send the value of S'p, then 
we can consider the protocol averaged over the unknown 
value of this generator. Formally, for perfect (nonnor- 
malizable) codewords the density matrix describing the 
state that is accessible to a potential eavesdropper then 
has a definite value of Sq but is averaged over all possible 
values of - it is a (nonnormalizable) equally weighted 
superposition of all position eigenstates with a specified 
value of q mod \pK\ e.g. in the case where Alice prepares 
a Z eigenstate, we have 

p{(l)g,Z = 1) 



oc 



^ |<? - (2s + </),) V^) {q = (2s -I- 0,) V^l 



p{(j)q,Z ^ -1) 

(X^\q ^ (2s + 1 + <l>g)^/^){q = {2s + 1 + (j)q)V^\ . 

(50) 

Averaged over as well, Alice is sending a random po- 
sition eigenstate. Likewise, in the case where Alice pre- 
pares an X eigenstate, she sends a random momentum 
eigenstate. 

Therefore, the protocol in which Alice prepares en- 
coded qubits can be replaced by a protocol that is simpler 
to execute but is no less effective and no less secure. In- 
stead of bothering to prepare the encoded qubit, she just 
decides at random to send either a q or p eigenstate, with 
a random eigenvalue. If Bob had a quantum memory, he 
could store the state, and wait to hear from Alice whether 
the state she sent was a q ot p eigenstate; then he could 



measure that observable. Subtracting (pgy/n (or (jip^/n) 
from his measurement outcome, he would obtain an even 
or odd multiple of ^/tF. 

But Bob does not really need the quantum memory. 
As in the BB84 protocol, it suffices for Bob to decide 
at random to measure either q or p, and then publicly 
compare his basis with Alice's. They discard the results 
where they used different bases and retain the others. 

A problem with this procedure is that the position and 
momentum eigenstates are unphysical nonnormalizable 
states, and the probability distribution that Alice sam- 
ples to decide on what value of g or p to send is also 
nonnormalizable. For it to implementable, we need to 
modify the procedure so that Alice sends narrow q or p 
wave packets, and chooses the position of the center of 
the wave packet by sampling a broad but normalizable 
distribution. 

Therefore, Alice and Bob can adopt the following pro- 
tocol: 

Key distribution with squeezed states 

1: Alice chooses a random bit to decide whether to 
send a state squeezed in q or in p. She samples 
a (discrete approximation to) a probability distri- 
bution Ppos('?) or i-'mom(p) to choosc & valuc of q 
or p, and then sends to Bob a narrow wave packet 
centered at that value. 

2: Bob receives the state and decides at random to 
measure either q or p. 

3: After Bob confirms receipt, Alice and Bob broad- 
cast whether they sent/measured in the q or p basis. 
If they used different bases, they discard their re- 
sults. If they used the same basis, they retain the 
result and proceed to Step 4. 

4: Alice broadcasts the value that she sent, modulo 
y/n (to m-bit accuracy). Bob subtracts Alice's 
value from what he measured, and corrects to the 
nearest integer multiple of ^/tt. He and Alice ex- 
tract their shared bit according to whether this in- 
teger is even or odd. 



V. A SECURE PROTOCOL USING 
CONTINUOUS VARIABLES 



Now we are ready to combine the protocol of §111 with 
the protocol of §|^. The result is a protocol based on con- 
catenating the continuous variable code with an [[n, k, d]] 
binary CSS code. The concatenated code embeds a 
fc-dimensional Hilbert space in the infinite-dimensional 
Hilbcrt space of n oscillators. 

Again, we first imagine that Alice and Bob carry out an 
entanglement distillation protocol. They start out shar- 
ing n pairs of oscillators, each in a (noisy) EPR state. By 
measuring the stabilizer generators of the concatenated 
code, they distill k encoded Bell pairs of much better fi- 
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delity, and then generate a key by measuring the encoded 
Bell pairs. 

By once again following the chain of reductions re- 
counted in §[n and we arrive at an equivalent proto- 
col involving transmission of squeezed states. The com- 
plete protocol, including verification, error correction, 
and privacy amplification, becomes: 

Continuous-variable QKD 

1: Alice has {A + S)n oscillators. For each oscillator, 
Alice decides at random to prepare either a state 
squeezed in g or a state squeezed in p. The posi- 
tion of the squeezed state is determined by sam- 
pling (a discrete approximation to) a probability 
distribution Ppos('z) or Pmom(p)- Alice then sends 
the oscillators to Bob. 

2: Bob receives the (4-|-i5)n oscillators, measuring each 
in the q or p basis at random. 

3: Bob confirms that the oscillators have been re- 
ceived, and then Alice announces whether each os- 
cillator was squeezed in q or in p. 

4: Alice and Bob discard the results in the cases where 
Bob measured in a different basis than Alice used 
in her preparation. With high probability, there 
are at least 2n measured values left (if not, abort 
the protocol). Alice decides randomly on a set of 
2n values to use for the protocol, and chooses at 
random n of these to be check values. 

5: For all 2n measured values, Alice announces the 
value of (7 or p modulo -0? (to m bits of accuracy). 

6: Bob subtracts the corresponding number an- 
nounced by Alice from each of his measured values, 
and then corrects the result to the nearest integer 
multiple of -^/tF. Bob and Alice now extract bit val- 
ues determined by whether the multiple of -^/tt is 
even or odd. 

7: Alice and Bob announce the values of their check 
bits. If too few of the check bits agree, they abort 
the protocol. 

8: Alice announces u -)- w, where u is the string con- 
sisting of the remaining non-check bits, and u is a 
random codeword in Ci . 

9: Bob subtracts u -\- v from his code qubits, u + e, 
and corrects the result, u -I- e, to a codeword in Ci. 
With high probability, Bob recovers v. 
10: Alice and Bob use the C2 coset v + C2 as the key. 

Here, to be specific, we have instructed Alice and Bob 
to sacrifice n check bits for each n bits that are used for 
key distribution. They might instead use fewer or more, 
depending on how stringent a bound on the eavesdrop- 
per's mutual information they require. 

The check bits provide Alice and Bob with estimates 
of the bit error rates pz (respectively px) when states 
squeezed in q (respectively p) are transmitted. Our anal- 
ysis of the BB84 protocol indicates that the squeezed 
state protocol is secure provided that pz and px are both 



below 11%, and assuming that Alice and Bob scramble 
and unscramble the oscillators (by applying a random 
permutation and its inv erse). 

However, as noted in §HID, the proof and the security 
criterion pz,Px < 11% apply only if Alice's source can 
be simulated by measuring half of an entangled state of 
two oscillators. In particular, we may imagine that Alice 
has many pairs of oscillators identically prepared in the 
state pAB , and that she prepares the state that she sends 
to Bob by measuring oscillator A. When she measures in 
the q basis, she sends the state 



Psiq) 



A{q\pAB\q)A 

tr {A{q\pAB\q)A) 



(51) 



with probability 



Pposiq)^triA{q\pAB\q)A) , (52) 
and when she measures in the p basis, she sends the state 
a{p\pab\p)a 



Pb{p) 



tr {A{q\pAB\q)A) 



with probability 



Pmoraip) = {a{p\PAb\p) a) 



(53) 



(54) 



Thus, the states that Alice sends need not be perfect po- 
sition or momentum eigenstates for the proof of security 
to work, and Alice's source might even have a bias so that 
the raw key bit carried by an oscillator is more likely to 
be a than a 1. Still, for a source of this type, if Alice 
and Bob verify that the error rate for the raw key bits is 
below 11% in both bases, then the protocol is p rovably 
secure. We will discuss examples in §VI and§VII. 




FIG. 1. One-sigma contours of the Wigner functions for 
typical squeezed states used in the quantum key distribution 
protocol, with squeeze factor A = — 1/2. The signal 
states squeezed in p and in q overlap with one another, pre- 
venting Eve from learning about one without disturbing the 
other. 
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Intuitively, the squeezed state protocol is secure be- 
cause the eavesdropper cannot monitor the value of q 
(or p) transmitted without introducing a detectable dis- 
turbance in the complementary observable p (or q). As 
shown in Fig. ^ the Wigner functions of the signal states 
squeezed in p and in q overlap, so that the states cannot 
be reliably distinguished. 



VI. GAUSSIAN STATES 

Perfectly squeezed states (position or momentum 
eigenstates) are unphysical nonnormalizable states, so 
the protocol will actually be carried out with imperfectly 
squeezed states. Furthermore, engineering a source that 
produces highly squeezed states would be quite techni- 
cally demanding. How much squeezing is really needed 
for the protocol to be secure? A related question is, how 
must we choose the probability distributions Ppos (?) and 
-Pmom(p) that govern the center of the squeezed state? 

We will analyze the most favorable case, in which the 
squeezed states are Gaussian wave packets and the prob- 
ability distributions are also Gaussian. We will begin 
again with a description of how the code is used for en- 
tanglement purification, but where Alice and Bob start 
with many copies of a Gaussian entangled pair of oscil- 
lators that is an approximate eigenstate of qA — qs and 
Pa + Pb ■ If we imagine that Alice measures half of each 
pair before she sends the other half to Bob, then we ob- 
tain a protocol in which Alice sends imperfectly squeezed 
states governed by a particular probability distribution. 

The initial Gaussian entangled state of the two oscil- 
lators is 



IV^(A)) 



AB 



1 



X exp 



dqAdqB exp 



1 



-\{qA-qBf/^^ 



qA + qB 



\qA,qB) 



-j= I dpAdpB exp 



1.2 f PA-PB 
2 I 2 



X exp 



(pA+PBf/A' 



\pa,Pb) , (55) 



where is real and positive. Since \iIj(A))ab is actually 
invariant under 



A2 ^ 4/A2 , qe -qB 



PB 



-PB 



(56) 



we may assume without loss of generality (changing the 
sign of the position and momentum of Bob's oscillator 
if necessary), that < A^ < 2. In the limiting case 
A^ = 2, \'i(;{A))ab becomes the product of two oscillator 
vacuum states. For A^ < 2, it is an entangled state. The 
amount of entanglement shared between the oscillators, 
in "ebits," is defined as 



E{A) EE S{pa) = -tr PA log2 PA , 



(57) 



(the Von Neumann entropy of Alice's density matrix 
PA — trslV'(A)) (V'(A)I), and can be expressed as @ 



E{A) ^ (coshV)log2 (cosher) 
— (sinh^ r) log2(sinh^ r) 



where 



A^ = 2e 



'2r 



(58) 



(59) 



In this entangled state, if Alice measures the position 
of her oscillator and obtains the outcome qA, she prepares 
for Bob the Gaussian state 



mA))i 

where 
and 



1 



(7rA2)i/4 



dqi 



xexp(--(qB-gBo)7A') ks) , (60) 



1 - -A'^\ / ~ \ 1/2 

' = ( 1 - AM qA , (61) 



l + iA4 



l + iA4 



(62) 



The probability distribution for the outcome of Alice's 
measurement can be expressed as 



P{qA) = ^ exp (-A' 



9a 



(63) 



and we can easily see from eq. (^5|) that if Alice and Bob 
both measure g, then the difference of their outcomes is 
governed by the probability distribution 



Prob((7y 



1 



qB) 



exp[-(g^-te)VA'] . (64) 



Similar formulas apply if Alice and Bob measure p. 

Suppose that Alice and Bob try to distill one good 
qubit from the imperfect entangled state \iI}{A))ab- 
They both measure the stabilizer generators, that is, the 
values of q and p modulo ^/tt. Alice broadcasts her values, 
and Bob adjusts his values so that they agree with Al- 
ice's; thereby they obtain a pair of encoded qubits, which 
would have been in the state |(^+) if the initial pair of os- 
cillators had been a perfect EPR pair (A^ = 0). Then 
if Alice and Bob were to proceed to perform a complete 
Bell measurement on their encoded qubit pair, the prob- 
ability pz that they would find Z (g) Z = — 1 is no worse 
than the probability that, if qA and qs were measured, 
the results would differ by more than a/tF/^, or 



Pz 



< 



dq e 



2A 

< exp(-7r/4A2) 

TT 



(65) 



13 



and similarly for px (the probability that X ® X = —1). 
For the values of A that are typically of interest {e.g. A < 
1), the error probability is dominated by values of qa — Qb 
(or PA + Pb) lying in the range 3^/7F/2], so that 

the estimate of the error probability can be sharpened to 



Pz,Px 



3\/¥/2 



dq e 



(66) 



After error correction and measurement in the encoded 
Bell basis, the initial bipartite pure state of two oscilla- 
tors, with entanglement E given by eq. ( p8| ) and (|5^), is 
reduced to a bipartite mixed state, diagonal in the en- 
coded Bell basis, with fidelity F — (\ —pz)i^ — Vx)\ this 
encoded state has entanglement of formation 



(67) 



(where i?2 is the binary entropy function). 

If Alice and Bob have a large number n of oscillators in 
the state |^/'(A))^b, they can carry out an entanglement 
distillation protocol based on the concatenation of the 
single-oscillator code with a binary CSS code, and they 
will be able to distill qubits of arbitrarily good fidelity 
at a finite asymptotic rate provided that pz and px are 
both below 11%; from eq. ( |66| ) we find that this condition 
is satisfied for A < .784 (which should be compared with 
the value A = \/2 corresponding to a product of two 
oscillators each in its vacuum state). Thus secure EPR 
key distribution is possible in principle with two-mode 
squeezed states provided that the squeeze parameter r 
satisfies r > - logg(. 784/^2) = .590; from eq. (H) and 
(|67|), A — .784 corresponds to E = 1.19 ebits carried by 
each oscillator pair, which is reduced by error correction 
and encoded Bell measurement to E — .450 ebits carried 
by each of the encoded Bell pairs. 

Now consider the reduction of this entanglement dis- 
tillation protocol to a protocol in which Alice prepares 
a squeezed state and sends it to Bob. In the squeezed- 
state scheme, Alice sends the state \'ip{qA)) with proba- 
bility P{qA). The width A of the state that Alice sends 
is related to the parameter A appearing in the estimated 
error probability according to 



A-2 ^ A 



-•-(1 



Vl - A4) . 



(68) 



The state Alice sends is centered not at qA but at 
Qbo — Qa ■ — A^)^/^. Nevertheless, in the squeezed 
state protocol that we obtain as a reduction of the en- 
tanglement distillation protocol, it is qA rather than qso 
that Alice uses to extract a key bit, and whose value mod- 
ulo y/n she reports to Bob. The error probability that is 
required to be below 11% to ensure security is the prob- 
ability that error correction adjusts Bob's measurement 
outcome to a value that differs from qA (not qso) by an 
odd multiple of ^/tt. As we have noted, this error prob- 
ability is below 11% for A < .784, which (from eq. (jOS" 



corresponds to A < .749; this value should be compared 
to the value A = 1 for an oscillator in its vacuum state. 
Thus, secure squeezed-state key distribution is possible 
in principle using single-mode squeezed states, provided 
that the squeeze parameter r defined by A = satisfies 
r > — logg(.749) = .289. When interpreted as suppres- 
sion, relative to vacuum noise, of the quantum noise af- 
flicting the squeezed observable, this amount of squeezing 

can be expressed as 10 • logj^Q ^A^^^ ~ 2.51 dB. 

The error rate is below 1% for A < .483 (A < .486), 
and drops precipitously for more highly squeezed states, 
e.g., to below 10^® for A ~ A < .256. For example, 
if the noise in the channel is weak, Alice and Bob can 
use the Gaussian squeezed state protocol with A 1/2 
(see Fig. ||) to generate a shared bit via the qov p channel 
with an error rate (~ 1.2%) comfortably below 11%; thus 
the protocol is secure if augmented with classical binary 
error correction and privacy amplification. 




q or p 



FIG. 2. Probability distributions for the squeezed quan- 
tum key distribution protocol, with squeeze factor A — 1/2. 
The dotted line is the probability distribution P (a Gaus- 
sian with variance (1/2A^) ■ (1 — A"*)) that Alice samples to 
determine the center of the squeezed signal that she sends. 
The solid lines are the probability distributions in position or 
momentum of the squeezed states (Gaussians with variance 
A^/2, shown with a different vertical scale than P) centered 
at —\/tt, 0, and ^/tt. The intrinsic error probability due to im- 
perfect squeezing (prior to binary error correction and privacy 
amplification) is 1.2%. 

Of course, if the channel noise is significant, there 
will be a more stringent limit on the required squeez- 
ing. Many kinds of noise (for instance, absorption of 
photons in an optical fiber) will cause a degradation of 
the squeezing factor. If this is the only consequence of 
the noise, the squeezing exiting the channel should still 
satisfy A < .784 for th e pr otocol to be secure, as we dis- 
cuss in more detail in § VU . Otherwise, the errors due to 



imperfect squeezing must be added to errors from other 
causes to determine the overall error rate. 

So far we have described the case where the p states 
and the q states are squeezed by equal amounts. The pro- 
tocol works just as well in the case of unequal squeezing, 
if we adjust the error correction procedure accordingly. 
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Consider carrying out the entanglement distillation using 
the code with general parameter a rather than a = 1. 
The error rates are unaffected if the squeezing in q and 
p is suitably rescaled, so that the width of the q and p 
states becomes 



A„ 



A • a 



A/a 



(69) 



In this modified protocol, Alice broadcasts the value of 
q modulo ^/^T ■ a or the value of p modulo y^/a. Bob 
subtracts the value broadcast by Alice from his own mea- 
surement outcome, and then adjusts the difference he ob- 
tains to the nearest multiple of ^/n ■ a or y^/a. The key 
bit is determined by whether the multiple of ^/tt ■ a, ot 
y/n/a, is even or odd. 

Thus, for example, the error rate sustained due to im- 
perfect squeezing will have the same (acceptably small) 
value irrespective of whether Alice sends states with 
Aq = Ap = 1/2, or Ag = 1 and Ap = 1/4; Alice can 
afford to send coherent states about half the time if she 
increases the squeezing of her other transmissions by a 
compensating amount. 

Can we devise a secure quantum key distribution 
scheme in which Alice always sends coherent states? To 
obtain, as a reduction of an entanglement distillation pro- 
tocol, a protocol in which coherent states (A = 1) are 
always transmitted, we must consider the case A^ — 2. 
But in that case, the initial state of Alice's and Bob's 
oscillators is a product state. Bob's value of g or p is 
completely uncorrelated with Alice's, and the protocol 
obviously won't work. This observation does not exclude 
secure quantum key distribution schemes using coherent 
states, but if they exist another method would be needed 
to prove the security of such schemes. 

In general, the source that we obtain by measuring 
half of the entangled pair is biased. If A is not small 
compared to ^/n, then Alice is significantly more likely 
to generate a than a 1 as her r aw key bit. But as we 
have already discussed in §[IID, after error correction 



and privacy amplification, the protocol is secure ifpx and 
pz are both less than 11%. This result follows because 
the squeezed state protocol is obtained as a reduction of 
an entanglement distillation protocol. 



VII. LOSSES AND OTHER IMPERFECTIONS 

The ideal BB84 quantum key distribution protocol is 
provably secure. But in practical settings, the protocol 
cannot be implemented perfectly, and the imperfections 
can compromise its security. (See p8| for a recent discus- 
sion.) For example, if the transmitted qubit is a photon 
polarization state carried by an optical fiber, losses in 
the fiber, detector inefficiencies, and dark counts in the 
detector all can impose serious limitations. In particular, 
if the photons travel a distance large compared to the at- 
tenuation length of the fiber, then detection events will 



be dominated by dark counts, leading to an unacceptably 
large error rate. 

Furthermore, most present-day implementations of 
quantum cryptography use, not single photon pulses, 
but weak coherent pulses; usually the source "emits" 
the vacuum state, occasionally it emits a single photon, 
and with nonnegligible probability it emits two or more 
photons. Quantum key distribution with weak coherent 
pulses is vulnerable to a "photon number splitting" at- 
tack, in which the eavesdropper diverts extra photons, 
and acquires complete information about their polariza- 
tion without producing any detectable disturbance. A 
weaker pulse is less susceptible to photon number split- 
ting, but increases the risk that the detector will be 
swamped by dark counts. 

From a practical standpoint, quantum key distribution 
with squeezed states may not necessarily be better than 
BB84, but it is certainly different. Alice requires a source 
that produces a specified squeezed state on demand; for- 
tunately, the amount of squeezing needed to ensure the 
security of the protocol is relatively modest. Bob uses 
homodyne detection to measure a specified quadrature 
amplitude; this measurement may be less sensitive to de- 
tector defects than the single-photon measurement re- 
quired in BB84. 

But, as in the BB84 protocol, losses due to the ab- 
sorption of photons in the channel will enhance the error 
rate in squeezed-state quantum key distribution, and so 
will limit the distance over which secure key exchange is 
possible. We study this effect by modeling the loss as a 
damping channel described by the master equation 



P 



apa' 



-a^ap- -pa^a 



(70) 



here p is the density operator of the oscillator, a is the 
annihilation operator, and F is the decay rate. Eq. ( [70| ) 
implies that 



d , 4.fe 



i(fc + or(atV), 



where 



{0)t - tr (Opit)) 



(71) 



(72) 



denotes the expectation value of the operator O at time 
t. Integrating, we find 



(73) 



and so, by expanding in power series, 

(:/(at,a):)T = (:/(^at,ea):)o, ^ ^ e'^^^' (74) 

where / is an analytic function, and : / : denotes normal 
ordering (that is, in : f{a^, a) :, all a^'s are placed to the 
left of all a's). 

In T)articular, by normal ordering and applying 
eq. (11), we find 
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(75) 



where q = (a + a^) /V2 is the position operator. A sim- 
ilar formula applies to the momentum operator or any 
other quadrature amplitude. Eq. ( [zs]) shows that if the 
initial state at t = is Gaussian {q is governed by a Gaus- 
sian probability distribution), then so is the final state at 
t = T ijl^ . The mean (q) and variance Ag^ of the initial 
and final distributions are related by 



1 

~ 2 



(76) 



Now let's revisit the analysis of §VI, taking into ac- 
count the effects of losses. We imagine that Alice pre- 
pares entangled pairs of oscillators in the state eq. (55) 



and sends one oscillator to Bob through the lossy channel; 
then they perform entanglement purification. This pro- 
tocol reduces to one in which Alice prepares a squeezed 
state that is transmitted to Bob. In the squeezed- 
state protocol, Alice decides what squeezed state to send 
by sampling the probability distribution P{qA) given in 
eq. (|6^); if she chooses the value qa, then she prepares 
and sends the state |V'(qa)) in eq. (|60|). When it enters 
the channel, this state is governed by the probability dis- 
tribution 



P{qB\qA) 



1 



exp I -(gs - qsn) /A' 



(77) 



and when Bob receives the state this distribution has, 
according to eq. ([76|), evolved to 



P'(.qB\qA) = 



1 



:Cxp(-(gB-g^o)VA'^) 



(78) 



The protocol is secure if the error rate in both bases 
is below 11%; as in §VI, this condition is satisfied for 
A^ < .784. Thus we can calculate, as a function of the 
initial squeezing parameter A, the maximum distance 
dmax that the signal states can be transmitted without 
compromising the security of the protocol. 

For A < 1, we find 



(1.57)- A-|-0(A2 



(82) 



Thus, the more highly squeezed the input signal, the less 
we can tolerate the losses in the channel. This feature, 
which sounds surprising on first hearing, arises because 
the amount of squeezing is linked with the size of the 
range in qA that Alice samples. Errors are not unlikely if 
losses cause the value of qB to decay by an amount com- 
parable to \/tt/2. In our protocol, if the squeezed states 
have a small width A, then the typical states prepared by 
Alice are centered at a large value qA A~^; therefore, 
a small fractional decay can cause an error. 



without 
amplification 




0.1 0.2 0.3 0.4 0.5 0.6 0.7 



where 



q'so = ^qso ^ e(l - A4)V2^^ 
A'2 = e'A2 + (1 - ■ 



(79) 



By integrating over qA in P'{qA,qB) = P' {qslqA) ■ P{qA), 
we can obtain the final marginal distribution for the dif- 
ference qA — qs- 



1 



P'{qA - <Zb; = exp {-{qA - to)VA|) 

^_2^ A2 

« ~ l+e- 2C(1 - A4)l/2 + (1 _ ^2)^2 ' 



(80) 



which generalizes eq. (|6^). We can express the damping 
factor ^ as 



-K.d/2 



(81) 



where d is the length of the channel and is its at- 
tenuation length (typically of the order of 10 km in an 
optical fiber). 



FIG. 3. The effect of channel losses on the security of 
quantum key distribution using squeezed states. The maxi- 
mum length Kdmax of the channel (in units of the attenuation 
length) is plotted as a function of the width A of the squeezed 
state that enters the channel. For a longer channel, the error 
rate due to losses is too large and the proof of security breaks 
down. The curve labeled "with amplification" applies to the 
protocol in which the signal is amplified prior to detection in 
order to compensate for the losses; the curve labeled "without 
amplification" applies to the protocol in which the signal is 
not amplified. 

On the other hand, even without losses, Alice needs 
to send states with A < .749 to attain a low enough 
error rate, and as A approaches .749 from below, again 
only a small loss is required to push the error probability 
over 11%. Thus there is an intermediate value of A that 
optimizes the value of dmax, as shown in Fig. ^. This 
optimal distance, 



^max.opt 



.367 



(83) 



is attained for A ^ .426. 
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Our analysis so far applies if Alice and Bob have no 
prior knowledge about the properties of the channel. But 
if the loss — e^'^'^ is known accurately, they might 
achieve a lower error rate if Bob compensates for the loss 
by multiplying his measurement outcome by before 
proceeding with error correction and privacy amplifica- 
tion. This amplification of the signal by Bob is entirely 
classical, but to analyze the security in this case, we may 
consider an entanglement purification scenario in which 
Bob applies a quantum amplifier to the signal before mea- 
suring. Since the quantum amplifier (which amplifies all 
quadrature amplitudes, not just the one that Bob mea- 
sures) is noisier, the protocol will be no less secure if Bob 
uses a classical amplifier rather than a quantum one. 

So now we consider whether entanglement purification 
will succeed, where the channel acting on Bob's oscillator 
in each EPR pair consists of transmission through the 
lossy fiber followed by processing in Bob's amplifier. If 
the error rate is low enough, the key will be secure even if 
the amplifier, as well as the optical fiber, are under Eve's 
control. 

Bob's linear amplifier can be modeled by a master 
equation like eq. ([70|), but with a and interchanged, 
and where T is now interpreted as a rate of gain. The 
solution is similar to eq. ([74|), except the normal order- 
ing is replaced by anti-normal ordering (all a's are placed 
to the left of all a^'s), and with replaced by the gain 
= e^"^ > 1. We conclude that the amplifier trans- 
forms a Gaussian input state to a Gaussian output state, 
and that the mean (q) and variance Aq^ of the Gaussian 
position distribution are modified according to 



Ag2 ^ C^Aq"^ 



1 



(84) 



Other quadrature amplitudes are transformed similarly. 

Now suppose that a damping channel with loss is 
followed by an amplifier with gain Then the mean 
of the position distribution is left unchanged, but the 
variance evolves as 



1 



= Aq' + (r^ - 1) . 



1 



-AC 



1 



(85) 



For this channel, the probability distribution governing 
Qa ^ Qb is again a Gaussian as in eq. (^0|), but now its 
width is determined by 



(A?) 



amp 



1 - (1 - A4)l/2 + 



1)A2 



(86) 



Error rates in the q and p bases are below 11%, and the 
protocol is provably secure, for (Aj)^j^p < .784. 

By solving (A^)^^p = .784. we can find the maximum 

distance d (where = e"'*) for which our proof of se- 
curity holds; the result is plotted in Fig. |3[ When the 
squeezed input is narrow, A << 1, the solution becomes 



^ ^ = exp (k d„ 



1.307 -t-0(A2) 



.268 



(87) 



Comparing the two curves in Fig. y, we see that the pro- 
tocol with amplification remains secure out to longer dis- 
tances than the protocol without amplification, if the in- 
put is highly squeezed. In that case, the error rate in the 
protocol without amplification is dominated by the de- 
cay of the signal, which can be corrected by the amplifier. 
But if the input is less highly squeezed, then the protocol 
without amplification remains secure to longer distances. 
In that case, the nonzero width of the signal state con- 
tributes significantly to the error rate; the amplifier noise 
broadens the state further. 

With more sophisticated protocols that incorporate 
some form of quantum error correction, continuous- 
variable quantum key distribution can be extended to 
longer distances. For example, if Alice and Bob share 
some noisy pairs of oscillators, they can purify the en- 
tanglement using protocols that require two-way classi- 
cal communication [^ijjl^. After pairs with improved 
fidelity are distilled, Alice, by measuring a quadrature 
amplitude in her laboratory, prepares a squeezed state 
in Bob's; the key bits can be extracted using the same 
error correction and privacy amplification schemes that 
we have already described. 

Our proof of security applies to the case where 
squeezed states are carried by a lossy channel (assum- 
ing a low enough error rate), because this scenario can 
be obtained as a reduction of a protocol in which Alice 
and Bob apply entanglement distillation to noisy entan- 
gled pairs of oscillators that they share. More generally, 
the proof applies to any imperfections that can be ac- 
curately modeled as a quantum operation that acts on 
the shared pairs before Alice and Bob measure them. 
As one example, suppose that when Alice prepares the 
squeezed state, it is not really the g or p squeezed state 
that the protocol calls for, but is instead slightly rotated 
in the quadrature plane. And suppose that when Bob 
performs his homodyne measurement, he does not really 
measure q or p, but actually measures a slightly rotated 
quadrature amplitude. In the entanglement-distillation 
scenario, the imperfection of Alice's preparation can be 
modeled as a superoperator that acts on her oscillator be- 
fore she makes a perfect quadrature measurement, and 
the misalignment of Bob's measurement can likewise be 
modeled by a superoperator acting on his oscillator be- 
fore he makes a perfect quadrature measurement. There- 
fore, the squeezed state protocol with this type of imper- 
fect preparation and measurement is secure, as long as 
the error rate is below 11% in both bases. Of course, 
this error rate includes both errors caused by the chan- 
nel and errors due to the imperfection of the preparation 
and measurement. 

We also recall that in the protocols of ^ Alice's 
preparation and Bob's measurement were performed to 
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m bits of accuracy. In the entanglement distillation sce- 
nario, this finite resolution can likewise be well modeled 
by a quantum operation that shifts the oscillators by an 
amount of order 2"™ before Alice and Bob perform their 
measurements. Thus the proof applies, with the finite 
resolution included among the effects contributing to the 
permissible 11% error rate. The finite accuracy causes 
trouble only when Alice's and Bob's results lie a distance 
apart that is within about 2"™ of \/Tr/2; thus, just a few 
bits of accuracy should be enough to make this additional 
source of error quite small. 



VIII. CONCLUSIONS 

We have described a secure protocol for quantum key 
distribution based on the transmission of squeezed states 
of a harmonic oscillator. Conceptually, our protocol re- 
sembles the BB84 protocol, in which single qubit states 
are transmitted. The BB84 protocol is secure because 
monitoring the observable Z causes a detectable distur- 
bance in the observable X, and vice versa. The squeezed 
state protocol is secure because monitoring the observ- 
able q causes a detectable disturbance in the observable 
p, and vice versa. Security is ensured even if the ad- 
versary uses the most general eavesdropping strategies 
allowed by the principles of quantum mechanics. 

In secure versions of the BB84 scheme, Alice's source 
should emit single-photons that Bob detects. Since the 
preparation of single-photon states is difficult, and pho- 
ton detectors are inefficient, at least in some settings 
the squeezed-state protocol may have practical advan- 
tages, perhaps including a higher rate of key production. 
Squeezing is also technically challenging, but the amount 
of squeezing required to ensure security is relatively mod- 
est. 

The protocol we have described in detail uses each 
transmitted oscillator to carry one raw key bit. An ob- 
vious generalization is a protocol based on the code with 
stabilizer generators given in eq. (^), which encodes a 
d-dimensional protected Hilbert space in each oscillator. 
Then a secure key can be generated more efficiently, but 
more squeezing is required to achieve an acceptable error 
rate. 

Our protocols, including their classical error correction 
and privacy amplification, are based on CSS codes: each 
of the stabilizer generators is either of the "g"-type (the 
exponential of a linear combination of n g's) or of the "p- 
type" (the exponential of a linear combination of n p's) . 
The particular CSS codes that we have described in detail 
belong to a restricted class: they are concatenated codes 
such that each oscillator encodes a single qubit, and then 
a block of those single-oscillator qubits are assembled to 
encode k better protected qubits using a binary [[n, fc, d]] 
stabilizer code. There are more general CSS codes that 
embed k protected qubits in the Hilbert space of n os- 
cillators but do not have this concatenated structure [Q ; 



secure key distribution protocols can be based on these 
too. The quantum part of the protocol is still the same, 
but the error correction and privacy amplification make 
use of more sophisticated close packings of spheres in n 
dimensions. 

We analyzed a version of the protocol in which Alice 
prepares Gaussian squeezed states governed by a Gaus- 
sian probability distribution. The states, and the proba- 
bility distribution that Alice samples, need not be Gaus- 
sian for the protocol to be secure. However, for other 
types of states and probability distributions, the error 
rates might have to be smaller to ensure the security of 
the protocol. 

Our proof of security applies to a protocol in which 
the squeezed states propagate through a lossy channel, 
over a distance comparable to the attentuation length 
of the channel. To extend continuous-variable quantum 
key distribution to much larger distances, quantum error 
correction or entanglement distillation should be invoked. 

Strictly speaking, the security proof we have presented 
applies if Alice's state preparation (including the proba- 
bility distribution that she samples) can be exactly real- 
ized by measuring half of an imperfectly entangled state 
of two oscillators. The protocol remains secure if Alice's 
source can be well approximated in this way. Our proof 
does not work if Alice occasionally sends two identically 
prepared oscillators when she means to send just one; the 
eavesdropper can steal the extra copy, and then the pri- 
vacy amplification is not guaranteed to reduce the eaves- 
dropper's information to an exponentially small amount. 
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